TaskManager.Hijack ei lähde pois. Hjt Logi [sivu 2/2]

AfterDawn.com

AfterDawn.com Mainosta sivuillamme


		Käyttäjä	Salasana

		Puuttuuko tunnus? Liity jäseneksi nyt!. Salasana hukassa? Klikkaa tästä.

Yksityisviestit

Luo uusi yksityisviesti

Kaikki uudet viestit

Ilman vastauksia olevat viestiketjut

sunnuntai 16.11.2025 / 00:55

Hae keskustelualueilta:

In English

Suomeksi

På svenska

afterdawn.com > keskustelu > yleistä keskustelua tietokoneista > virukset ja haittaohjelmat - hijackthis -logit > taskmanager.hijack ei lähde pois. hjt logi

Aiheet

Keskustelualueet

Keskustelualueet

Aloita uusi viestiketju

TaskManager.Hijack ei lähde pois. Hjt Logi

Siirry:

Kirjoittaja

Viesti

Sivu:	<	1	2

Jead

Junior Member

6. joulukuuta 2008 @ 17:09

Linkki tähän viestiin

Scan logikin on mutta se on aivan tajuttoman pitkä joten laitan nyt vain tämän. Voin kyllä upata sen vaikka johonkin jos siitä on mitään apua

File C:\WINDOWS\system32\drivers\explore.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Tiedostot\pamela\_aleste.exe infected by "Worm.Python.Lesta.a" Virus. Action Taken: File Deleted.
File C:\f8h3l5y5t8l1.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002296.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002297.exe infected by "Worm.Python.Lesta.a" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002298.exe infected by "Backdoor.Win32.Rbot.wec" Virus. Action Taken: File Renamed.
File C:\vncviewer.exe tagged as not-a-virus:RemoteAdmin.Win32.WinVNC-based.j. No Action Taken.
File E:\PELIT\dosbox\c\nEGGEI\pno0001.exe infected by "Trojan.Win32.Pakes.yf" Virus. Action Taken: File Deleted.
File E:\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
File E:\System Volume Information\_restore{361AF178-CDFE-4E68-84C7-5BFD1FF1D339}\RP7\A0002299.exe infected by "Trojan.Win32.Pakes.yf" Virus. Action Taken: File Deleted.

Hujo

Suspended permanently

6. joulukuuta 2008 @ 17:17

Linkki tähän viestiin

laita koko tajuttoman pitkä lista kokonaan :D

Voiko tietsikka koskaan toimia?

Jead

Junior Member

6. joulukuuta 2008 @ 17:47

Linkki tähän viestiin

http://myfreefilehosting.com/f/4b034a2dc0_12.69MB

En saanut postattua niin piti upata : [

Hujo

Suspended permanently

6. joulukuuta 2008 @ 18:35

Linkki tähän viestiin

Siellä on 4 deletoitu
sitten on 4 nimetty uudeleen
parille ei ole tehty mitään
SmitfraudFix tälle ei ole tehty mitään eikä tarvii

===============

1. Klikkaa käynnistä > Oma tietokone oikean puoleisella hiiren napilla
2. Valitse ominaisuudet
3. Valitse järjestelmän palauttaminen välilehti
4. Ruksi eteen ¤ poista järjestelmän palauttaminen kaikissa asemissa
5. Paina Käytä
6. Paina ok
7. Sammuta ja käynnistä
8. Ota ruksi pois ¤ poista järjestelmän palauttaminen kaikissa asemissa
9. Käytä ja OK

==============

scannaa uusi hjt:n loki

Voiko tietsikka koskaan toimia?

Jead

Junior Member

6. joulukuuta 2008 @ 18:51

Linkki tähän viestiin

Asensin Zonealarmin koneeseen kun windowssin palomuuri ei toimi ja täytyy tuota konetta kuitenkin heittää netissä aina noiden ohjelmien päivitysten ajaksi.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:52, on 6.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
E:\Program Files\adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\javaa\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\Logi_MwX.Exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\javaa\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\SYSMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SYSMON.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6460 bytes

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 6. joulukuuta 2008 @ 18:53

Hujo

Suspended permanently

6. joulukuuta 2008 @ 19:21

Linkki tähän viestiin

Otas tuo takasin koneelle scanna sillä loki

1.Lataa Combofix.exe työpöydällesi yhdestä linkistä:
Combofix1
Combofix2

2. Tuplaklikkaa Combofix.exe tiedostoa ja seuraa ohjeistuksia.
3. Kun työkalu on valmis, se tuottaa lokin. Lähetä tämä loki viesti ketjuusi.
Huom! Älä klikkaile combofixin ikkunaa käytön aikana. Tämä saattaa aiheuttaa ohjelman jumiutumisen.

Voiko tietsikka koskaan toimia?

Jead

Junior Member

6. joulukuuta 2008 @ 19:54

Linkki tähän viestiin

Keskeytyy puolivälissä. Poistaa kansioita:
H

Kohdetta %Windr%/system32/drivers/SYSMON.exe ei löydy.

Catchme.cfexe
Asema A ei ole valmiina, Aseman luukku voi olla avoinna. Tarkista asema a ja varmista että levyke on asemassa ja että aseman luukku on suljettuna.

|Peruuta||Yritä Uudelleen||Jatka->| minkä tahansa noista valitsee niin kestää 5 sekuntia ja error iskee uudestaan. Nyt olen vähän että mitäs teen kun en edes omista A: asemaa

//EDIT ilmeisesti ongelma tulee kun USB tikku on kiinni jolla kuljetan noita filuja tämän koneen ja tuon saastuneen koneen välillä. Otin pois ja combofix toimi.

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 6. joulukuuta 2008 @ 20:32

Jead

Junior Member

6. joulukuuta 2008 @ 20:49

Linkki tähän viestiin

ComboFix 08-12-05.06 - Jarezed 2008-12-06 20:30:43.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.422 [GMT 2:00]
Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe

VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Microsoft\backup.ftp
.
---- Previous Run -------
.
c:\windows\system32\Microsoft\backup.ftp
H:\autorun.inf
h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213
h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Desktop.ini
h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Rege.exe
h:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Regme.exe

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
.

2008-12-06 17:26 . 2008-12-06 20:41 210,976 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-06 20:37 4,376 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-06 20:40 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-06 20:41 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 15:49 . 2008-12-06 15:49 0 --a------ C:\23990098.$$$
2008-12-06 12:37 . 2008-12-06 12:37 0 --a------ C:\v5t6q1h2q2.exe
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-05 23:18 . 2008-12-05 23:17 171,520 -r-hs---- c:\windows\system32\drivers\SYSMON.EXE
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 12:27 . 2008-12-01 00:14 171,520 --a------ c:\windows\system32\drivers\explore.exe.mwt
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 18:39 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 56 --sh--r c:\windows\system32\241FD2F4A6.sys
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [2008-12-05 171520]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 20:39:10
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Muut prosessit ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
e:\program files\adaware\aawservice.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
e:\program files\javaa\bin\jqs.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Valmistumisajankohta: 2008-12-06 20:43:48 - kone käynnistettiin uudelleen [Jarezed]
ComboFix-quarantined-files.txt 2008-12-06 18:43:34

Ennen ajoa: 1,466,040,320 tavua vapaana
Ajon jälkeen: 1,466,023,936 tavua vapaana

210

Hujo

Suspended permanently

6. joulukuuta 2008 @ 21:54

Linkki tähän viestiin

Avaa Muistio ja kopioi/liitä lainauksen sisältö sinne:

Lainaus:
File::
C:\WINDOWS\system32\drivers\SYSMON.EXE
c:\windows\system32\241FD2F4A6.sys

Folder::
C:\23990098.$$$
C:\v5t6q1h2q2.exe
C:\f8h3l5y5t8l1.exe.mwt

Driver::
c:\windows\system32\drivers\SYSMON.EXE
c:\windows\system32\drivers\explore.exe.mwt

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.

Voiko tietsikka koskaan toimia?

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 7. joulukuuta 2008 @ 00:26

Jead

Junior Member

6. joulukuuta 2008 @ 22:20

Linkki tähän viestiin

Uskomatonta mutta totta- ongelma katosi taas. Rukoilen nyt tässä päälläni ettei se tule takaisin.

ComboFix 08-12-05.06 - Jarezed 2008-12-06 22:11:31.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.417 [GMT 2:00]
Running from: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
Command switches used :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\241FD2F4A6.sys
c:\windows\system32\drivers\SYSMON.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\23990098.$$$\
c:\f8h3l5y5t8l1.exe.mwt\
c:\v5t6q1h2q2.exe\
c:\windows\system32\241FD2F4A6.sys
c:\windows\system32\drivers\SYSMON.EXE
c:\windows\system32\Microsoft\backup.ftp

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 22:09 . 2008-12-06 22:09 <KANSIO> d-------- C:\32788R22FWJFW
2008-12-06 17:26 . 2008-12-06 22:18 335,904 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 15:49 . 2008-12-06 15:49 0 --a------ C:\23990098.$$$
2008-12-06 12:37 . 2008-12-06 12:37 0 --a------ C:\v5t6q1h2q2.exe
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 12:27 . 2008-12-01 00:14 171,520 --a------ c:\windows\system32\drivers\explore.exe.mwt
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 18:48 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SYSMON.EXE - c:\windows\system32\drivers\SYSMON.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 22:17:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-06 22:20:47
ComboFix-quarantined-files.txt 2008-12-06 20:20:40
ComboFix2.txt 2008-12-06 18:44:06

Pre-Run: 1 453 051 904 tavua vapaana
Post-Run: 1,425,285,120 tavua vapaana

199

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 6. joulukuuta 2008 @ 22:25

Hujo

Suspended permanently

6. joulukuuta 2008 @ 22:42

Linkki tähän viestiin

Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:

Lainaus:
File::
C:\23990098.$$$
C:\v5t6q1h2q2.exe
c:\windows\system32\drivers\explore.exe.mwt

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.

Voiko tietsikka koskaan toimia?

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 6. joulukuuta 2008 @ 22:48

Jead

Junior Member

6. joulukuuta 2008 @ 23:03

Linkki tähän viestiin

Ei pyydetty käynnistämään uudelleen : (

ComboFix 08-12-05.06 - Jarezed 2008-12-06 22:55:17.11 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.393 [GMT 2:00]
Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
* Uusi palautuspiste luotu

VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

FILE ::
C:\23990098.$$$
C:\v5t6q1h2q2.exe
c:\windows\system32\drivers\explore.exe.mwt
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\23990098.$$$
C:\v5t6q1h2q2.exe
c:\windows\system32\drivers\explore.exe.mwt

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
.

2008-12-06 17:26 . 2008-12-06 23:01 407,584 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-03 00:35 . 2008-12-03 01:22 171,520 --a------ C:\f8h3l5y5t8l1.exe.mwt
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 18:48 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 23:00:50
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Valmistumisajankohta: 2008-12-06 23:03:44
ComboFix-quarantined-files.txt 2008-12-06 21:03:37
ComboFix2.txt 2008-12-06 20:20:56
ComboFix3.txt 2008-12-06 18:44:06

Ennen ajoa: 1 410 768 896 tavua vapaana
Ajon jälkeen: 1,388,277,760 tavua vapaana

192

Hujo

Suspended permanently

6. joulukuuta 2008 @ 23:10

Linkki tähän viestiin

Avaa Muistio ja kopioi/liitä quoteboxin sisältö sinne:

Lainaus:
File::
C:\f8h3l5y5t8l1.exe.mwt

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne

============

sammuta ja käynnistä
scannaa sitten vielä hjt:n loki uusi

Voiko tietsikka koskaan toimia?

Jead

Junior Member

6. joulukuuta 2008 @ 23:35

Linkki tähän viestiin

ComboFix 08-12-05.06 - Jarezed 2008-12-06 23:20:59.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.378 [GMT 2:00]
Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
* Uusi palautuspiste luotu

VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

FILE ::
C:\f8h3l5y5t8l1.exe.mwt
.

(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\f8h3l5y5t8l1.exe.mwt
c:\windows\system32\Microsoft\backup.ftp

.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-06 to 2008-12-06 )))))))))))))))))
.

2008-12-06 23:17 . 2008-12-05 23:17 171,520 -r-hs---- c:\windows\system32\drivers\SYSMON.EXE
2008-12-06 17:26 . 2008-12-06 23:27 477,216 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-06 20:46 5,096 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-06 20:49 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-06 20:52 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-06 17:46 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 21:17 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-06 18:38 613,698 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:48:49 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-06 18:49:09 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1b4.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [2008-12-05 171520]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe %windir%\\system32\\drivers\\SYSMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 23:26:17
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll
.
Valmistumisajankohta: 2008-12-06 23:29:09
ComboFix-quarantined-files.txt 2008-12-06 21:29:02
ComboFix2.txt 2008-12-06 21:03:49
ComboFix3.txt 2008-12-06 20:20:56
ComboFix4.txt 2008-12-06 18:44:06

Ennen ajoa: 1 374 420 992 tavua vapaana
Ajon jälkeen: 1,360,867,328 tavua vapaana

199

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:02, on 6.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\javaa\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\hijack\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\Logi_MwX.Exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\javaa\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\drivers\SYSMON.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6295 bytes

Hujo

Suspended permanently

7. joulukuuta 2008 @ 00:11

Linkki tähän viestiin

c:\windows\system32\drivers\SYSMON.EXE
Mitä ohjelmaa käytät kun tämä on taas luotu koneelle.
onkos se tikku terve ookos sen tarkastanut virusohjelmalla.

Avaa Muistio ja kopioi/liitä lainauksen sisältö sinne:

Lainaus:
File::
C:\WINDOWS\system32\drivers\SYSMON.EXE

Driver::
c:\windows\system32\drivers\SYSMON.EXE

Tallenna se nimellä CFScript.txt

Sitten raahaa CFScript ComboFix.exeen kuten alla.

Käynnistä tietokone uudelleen pyydettäessä ja lähetä combofix.txt-tiedoston sisältö tänne.

Voiko tietsikka koskaan toimia?

Jead

Junior Member

7. joulukuuta 2008 @ 11:43

Linkki tähän viestiin

En ole laittanut tikkua vielä edes kiinni mutta combofixin jälkeen SYSMON.EXE näkyy silti hjt logissa. Ja alustan tämän tikun aina tältä koneelta saastuneelle koneelle siirrettäessä.

ComboFix 08-12-05.06 - Jarezed 2008-12-07 11:04:41.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.445 [GMT 2:00]
Sijainti: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe
Käytetyt komentorivivalitsimet :: c:\documents and settings\Jarezed\Työpöytä\CFScript.txt
* Uusi palautuspiste luotu

VAROITUS - PALAUTUSKONSOLIA EI OLE ASENNETTU !!

FILE ::
c:\windows\system32\drivers\SYSMON.EXE
.

((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-11-07 to 2008-12-07 )))))))))))))))))
.

2008-12-06 17:26 . 2008-12-07 11:11 694,304 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-07 10:45 9,392 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-07 10:49 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-07 10:50 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-07 10:11 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 07:30 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-06 21:32 1,225,227 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-07 08:47:47 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-07 08:47:52 16,384 ----atw c:\windows\temp\Perflib_Perfdata_100.dat
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"SYSMON.EXE"="c:\windows\system32\drivers\SYSMON.EXE" [BU]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
.
------- Täydentävä tarkistus -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 11:10:42
Windows 5.1.2600 Service Pack 2 NTFS

tarkistaa piilotettuja prosesseja ...

tarkistaa piilotettuja käynnistysarvoja ...

tarkistaa piilotettuja tiedostoja ...

tarkistus on valmis
piilotetut tiedostot: 0

**************************************************************************
.
--------------------- Prosesseihin ladatut DLLt ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3044)
c:\windows\System32\tabhook.dll
c:\windows\system32\msi.dll
.
Valmistumisajankohta: 2008-12-07 11:13:40
ComboFix-quarantined-files.txt 2008-12-07 09:13:29
ComboFix2.txt 2008-12-07 08:44:51
ComboFix3.txt 2008-12-06 21:29:14
ComboFix4.txt 2008-12-06 21:03:49
ComboFix5.txt 2008-12-07 09:03:24

Ennen ajoa: 1 317 306 368 tavua vapaana
Ajon jälkeen: 1,294,393,344 tavua vapaana

188

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:55, on 7.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\adaware\aawservice.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\Logi_MwX.Exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\javaa\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
E:\hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SYSMON.EXE] C:\WINDOWS\system32\drivers\SYSMON.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5972 bytes

Hujo

Suspended permanently

7. joulukuuta 2008 @ 18:10

Linkki tähän viestiin

Etsi tuo polkua seuraten löytyykö tuolta

C:\WINDOWS\system32\drivers\SYSMON.EXE

Käynnistä > suorita kirjoita msconfig > ok
Käynnistys välilehti

Ota alla olevien edestä ruksi pois

SYSMON

käytä ja ok
Käynnistä kone uudelleen ja laita pikkuseen neliöön ruksi ja paina sitten vasta ok

Voiko tietsikka koskaan toimia?

Viestiä on muokattu lähettämisen jälkeen. Viimeisin muokkaus 7. joulukuuta 2008 @ 18:20

Jead

Junior Member

7. joulukuuta 2008 @ 19:42

Linkki tähän viestiin

SYSMON.EXE ei löytynyt manuualisesti kansiosta mutta sain sen pois msconfigista. Ei käynnistynyt enää. Voinko nyt olla varma ettei se tule takaisin? AVG löytää jotain troijalaisiin viittaavaa aina välillä kyllä ja hälyttää niistä mutta ei kuitenkaan suostu tekemään asialle mitään.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:35:12, on 7.12.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\adaware\aawservice.exe
E:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\Logi_MwX.Exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\javaa\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\javaa\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
E:\hijack\HijackThis.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - E:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\javaa\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\javaa\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\javaa\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\javaa\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R265 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE /FU "C:\WINDOWS\TEMP\E_S463.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\javaa\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\adaware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\javaa\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6184 bytes

Hujo

Suspended permanently

7. joulukuuta 2008 @ 19:51

Linkki tähän viestiin

scannaa nyt uusi combofix loki

Voiko tietsikka koskaan toimia?

Jead

Junior Member

7. joulukuuta 2008 @ 21:51

Linkki tähän viestiin

ComboFix 08-12-05.06 - Jarezed 2008-12-07 21:32:55.15 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.418 [GMT 2:00]
Running from: c:\documents and settings\Jarezed\Työpöytä\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 21:30 . 2008-12-07 21:31 <KANSIO> d-------- C:\32788R22FWJFW
2008-12-06 17:26 . 2008-12-07 21:40 1,460,256 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-06 17:26 . 2008-12-07 19:31 18,152 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-06 17:19 . 2008-12-06 17:19 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-06 17:19 . 2008-12-06 17:23 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-06 17:18 . 2007-09-06 16:14 75,248 --a------ c:\windows\zllsputility.exe
2008-12-06 17:18 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-06 17:16 . 2008-12-06 17:18 <KANSIO> d-------- c:\windows\system32\ZoneLabs
2008-12-06 17:16 . 2007-09-06 16:14 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-06 17:16 . 2008-12-07 19:34 353,247 --a------ c:\windows\system32\vsconfig.xml
2008-12-06 17:14 . 2008-12-07 19:35 <KANSIO> d-------- c:\windows\Internet Logs
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Downloads
2008-12-06 12:36 . 2008-12-06 12:50 <KANSIO> d-------- C:\Bases
2008-12-06 12:34 . 2008-12-06 12:50 <KANSIO> d-------- C:\Kaspersky
2008-12-04 12:31 . 2008-12-04 12:30 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 03:08 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:08 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 02:00 . 2008-12-04 02:00 <KANSIO> d-------- C:\HostsXpert
2008-12-04 00:48 . 2008-12-04 00:48 577,536 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-04 00:46 . 2008-12-04 00:46 <KANSIO> d-------- c:\windows\ERUNT
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSMAUNIN.MIF
2008-12-04 00:23 . 2008-12-04 00:23 2,517 --a------ c:\windows\FSAVUNIN.MIF
2008-12-03 14:16 . 2008-12-03 14:18 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 01:34 . 2008-12-03 14:15 <KANSIO> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 01:34 . 2008-12-03 01:35 246 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-03 01:13 . 2008-12-07 12:22 <KANSIO> d--h----- C:\$AVG8.VAULT$
2008-12-03 01:06 . 2008-12-03 03:41 <KANSIO> d-------- c:\windows\system32\drivers\Avg
2008-12-03 01:06 . 2008-12-03 01:06 98,440 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 90,632 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 01:06 . 2008-12-03 01:06 12,936 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-03 01:06 . 2008-12-03 01:06 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\program files\AVG
2008-12-03 01:05 . 2008-12-03 01:05 <KANSIO> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 01:04 . 2008-12-03 01:04 <KANSIO> d-------- c:\documents and settings\LocalService\Käynnistä-valikko
2008-12-02 23:53 . 2004-09-14 16:12 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-02 23:51 . 2008-12-02 23:51 <KANSIO> d-------- c:\windows\provisioning
2008-12-02 23:47 . 2008-12-02 23:47 <KANSIO> d-------- c:\windows\ServicePackFiles
2008-12-02 23:32 . 2004-07-17 11:40 19,528 --a------ c:\windows\002401_.tmp
2008-12-02 23:28 . 2008-12-02 23:52 <KANSIO> d-------- c:\windows\EHome
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Verkkoympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Työpöytä
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Tulostinympäristö
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja\Suosikit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:18 <KANSIO> d--h----- c:\documents and settings\Järjestelmänvalvoja\Mallit
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2006-03-26 11:10 <KANSIO> dr------- c:\documents and settings\Järjestelmänvalvoja\Käynnistä-valikko
2008-12-02 23:07 . 2008-12-02 23:07 <KANSIO> d-------- c:\documents and settings\Järjestelmänvalvoja
2008-12-02 21:13 . 2008-10-16 14:08 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:13 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:13 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:13 . 2008-10-16 14:07 18,968 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 15:53 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-11-30 17:00 . 2008-11-30 17:00 <KANSIO> d-------- c:\windows\system32\msmq

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 17:32 1,825,679 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-12-07 07:30 42,496 ----a-w c:\windows\system32\ftp.exe
2008-12-03 11:36 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-02 23:01 359,040 ------w c:\windows\system32\drivers\tcpip.sys
2008-12-02 22:58 96,256 ----a-w c:\windows\system32\drivers\sptd9821.sys
2008-11-30 20:27 --------- d-----w c:\documents and settings\Jarezed\Application Data\OpenOffice.org2
2008-11-01 18:04 --------- d-----w c:\documents and settings\Jarezed\Application Data\U3
2008-10-28 15:19 --------- d-----w c:\documents and settings\Jarezed\Application Data\uTorrent
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-08-13 14:19 24 ----a-w c:\documents and settings\Jarezed\jagex_runescape_preferences.dat
2007-12-07 13:13 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-12-24 08:12 1,682 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-06_20.42.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 18:39:08 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-07 17:33:21 18,409 ----a-w c:\windows\system32\tablet.dat
+ 2008-12-07 17:33:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-14 15360]
"EPSON Stylus Photo R265 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBNE.EXE" [2006-05-19 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="e:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"SunJavaUpdateSched"="e:\program files\javaa\bin\jusched.exe" [2008-12-04 136600]
"ZoneAlarm Client"="e:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-09-14 15360]

c:\documents and settings\All Users\K?ynnist?-valikko\Ohjelmat\K?ynnistys\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-28 110592]
Adobe Reader Speed Launch.lnk - e:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-12-03 12936]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-02 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 90632]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;c:\windows\system32\DRIVERS\netflx3.sys [2006-03-26 65278]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0466fae0-a832-11dd-9f13-0008c7fa9d78}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SYSMON - c:\windows\system32\drivers\SYSMON.EXE

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &D&ownload &with BitComet - e:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - e:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - e:\program files\BitComet\BitComet.exe/AddAllLink.htm

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FireFox -: Profile - c:\documents and settings\Jarezed\Application Data\Mozilla\Firefox\Profiles\skchpaut.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fi
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF -: plugin - e:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npdeploytk.dll
FF -: plugin - e:\program files\javaa\bin\new_plugin\npjp2.dll
FF -: plugin - e:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 21:39:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2608)
c:\windows\System32\tabhook.dll
c:\windows\system32\msi.dll
.
Completion time: 2008-12-07 21:43:00
ComboFix-quarantined-files.txt 2008-12-07 19:42:48
ComboFix2.txt 2008-12-07 09:13:45
ComboFix3.txt 2008-12-07 08:44:51
ComboFix4.txt 2008-12-06 21:29:14
ComboFix5.txt 2008-12-07 19:32:00

Pre-Run: 1 344 831 488 tavua vapaana
Post-Run: 1,318,252,544 tavua vapaana

186

Hujo

Suspended permanently

7. joulukuuta 2008 @ 22:02

Linkki tähän viestiin

Jokos helpotti koneen toiminta? näytti poistaneen sen mitä jahdatiin.

Voiko tietsikka koskaan toimia?

Mainos

Jead

Junior Member

8. joulukuuta 2008 @ 14:17

Linkki tähän viestiin

Nyt toimii ja ei ole ainakaan vielä törmännyt takaisin. VVVVValtavan suuri tervehdys eä ja kiitos kun sain tämän nyt kuntoon!! Pelastit meikäläisen saatanalliselta forkkausprosessilta. RLY thänks!

Sivu:	<	1	2

Aloita uusi viestiketju

Aiheeseen liittyviä linkkejä

Lataa uusin versio HijackThis-ohjelmasta täältä!

Aiheeseen liittyviä viestiketjuja		Viestejä	Viimeisin viesti	Keskustelualue
HJT Logi		2	3. kesäkuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
HJT-logi ja vale-firefox ongelmia....virus koneella ?		4	6. toukokuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
HJT logi, kone jumittaa		1	3. huhtikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
Näppäimistö sekoilee hjt log		1	2. huhtikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
HJT-log ja Malwarebytes- log, Troijalainen? Apu tarpeen!		2	10. maaliskuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
HJT-loki, kone valtavan hidas ja perusskannereiden läpi ajamisella ei vaikutusta		1	19. helmikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
probook 445 hjt-logit		1	19. tammikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
HJT loki tarkastukseen		1	19. tammikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit
Win7 + HJT ongelma ja kummitteleva Mass effect 2		1	11. tammikuuta 2014	Windows -ongelmat
HJT-logia..		1	9. tammikuuta 2014	Virukset ja haittaohjelmat - HijackThis -logit

afterdawn.com > keskustelu > yleistä keskustelua tietokoneista > virukset ja haittaohjelmat - hijackthis -logit > taskmanager.hijack ei lähde pois. hjt logi

Apua ongelmiin: AfterDawnin keskustelualueet | AfterDawnin Vastaukset
Uutiset: IT-alan uutiset | Uutisia puhelimista
Musiikkia: MP3Lizard.com
Tuotearviot: Laitevertailu | Vertaa puhelimia | Vertaa kännykkäliittymiä
Pelit: Pelitiedostot, pelidemot ja trailerit
Ohjelmat: download.fi | AfterDawnin ohjelma-alueet
International: AfterDawn in English | Software downloads | Free, legal MP3s | AfterDawn på svenska
RSS -syötteet: AfterDawnin uutiset | Uusimmat ohjelmapäivitykset | Keskustelualueiden viestit
Tietoja: Tietoa AfterDawn Oy:stä | Mainosta sivuillamme | Sivuston käyttöehdot ja tietoja yksityisyydensuojasta
Ota yhteyttä: Lähetä palautetta | Ota yhteyttä mainosmyyntiimme

© 1999-2025 AfterDawn Oy